| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 4 Jan 2007 13:47:00 -0500
From: Rob Sherwood <capveg@...umd.edu>
To: Pieter de Boer <pieter@...darkside.nl>
Cc: Michal Zalewski <lcamtuf@...ne.ids.pl>,
bugtraq@...urityfocus.com, full-disclosure@...sys.com
Subject: Re: a cheesy Apache / IIS DoS vuln (+a question)
On Thu, Jan 04, 2007 at 12:45:35PM +0100, Pieter de Boer wrote:
> Michal Zalewski wrote:
> > 2) Negotiate a high TCP window size for each of the connections (1 GB
> > should be doable),
> >
> For instance, FreeBSD by default has TCP send buffers set to 32KB. It
> does not (apart from recent work) do dynamic buffer sizing. 32KB is all
> you get. Sysadmins probably raise this value, but, especially with large
> amounts of connections, it can't be set too high or mbufs will run out.
> I'd guess people wouldn't set it to much more than 1MB or such.
Correct. rfc2414 says the initial sender window should be:
min (4*MSS, max (2*MSS, 4380 bytes))
So you can't just connect, request, and drop the connection to get a GB
of traffic. The attacker must send acks periodically.
> Concluding, I think your suggested attack might work, but it would need
> a braindead configuration on the sender's end to be really effective.
> It's probably easier just to send some ACKs now and then..
This is exactly the attack described in CERT Advisory [VU#102014]
(http://www.kb.cert.org/vuls/id/102014)
and:
Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse
Rob Sherwood, Bobby Bhattacharjee, Ryan Braud
Published in Computer and Communications Security (CCS) 2005
(http://www.cs.umd.edu/~capveg/optack/optack-ccs05.pdf)
- Rob Sherwood
.
Powered by blists - more mailing lists